[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
- F5 O* c" H) X
" Q* P3 z4 ^8 w6 J5 QKeyboard Interrupt Hook using I/O APIC

+ {0 ?2 q4 @8 M9 UBy: chpie
# X0 H1 |1 C' E! F8 p" ^/ AKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
! _) Y# J/ h  p; N, v' E0 msignal by Delivery mode of the I/O APIC to be the ExtINT,
5 M" b7 Q  u2 f( a! O8 kthe interrupt related by the IRQ 1 able to be not refer
2 M0 s7 ~8 f. L2 [9 ^- r$ kthe I/O APIC's Redirection Table.

- _/ a( j. l* |3 x. O; }* k- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::

4 S* V$ b. b& r: d0 _3 _- q1. IRQ 1 Assert !!!
: ]$ S- Q. C6 |2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
2 Y7 Y' [2 K/ @8 E7 B6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
" s# L' H0 B& j" A4 P/ m8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
! q- G: A% b+ `: \) p/ K12. our interrupt handler executed.

* G0 |: S& P; a: p& `  L
: k8 M1 m  K% S) S! k7 M% psourcecode and binary are available on the
% j1 a# o! s& h# K5 R- uhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip